EXPERIMENTING WITH HARDENING QEMU

25 Oct 2014 by Curtis

In this post I will explore compiling QEMU with fewer options and drivers, thereby removing code from the binary and, in theory, reducing its attack surface.

First off I want to note that this is an experiment. I'm not working on this for a production system, and I haven't worked a lot with QEMU compilation or with what code is necessary or unnecessary for my particular application. I'm just messing around, trying to learn some things about QEMU, what code is in it by default, and what code could be removed via compile options.

Having said that, the OpenStack Security Guide does talk about compiling a custom QEMU so that it can be "hardened," which includes turning off options/drivers that aren't needed.

Environment

I'm going to try this out on Ubuntu Trusty 14.04 using a Vagrant box.

First, we need git.

root# apt-get install git -y

Next clone the QEMU project code.

root# git clone git://git.qemu-project.org/qemu.git

Get everything else you need to compile QEMU. Note that apt-get build-dep only works if the deb-src entries in /etc/apt/sources.list are enabled (uncomment them and run apt-get update first if they are not).

root# apt-get build-dep qemu -y

Configure options

Using ./configure --help we can see there are all kinds of features we can disable, and in doing so quite possibly break QEMU. :)

Disable bluez

I see bluez there, guessing that is something to do with Bluetooth (apparently it is the official Bluetooth stack for Linux). Trying not to make a joke about QEMU having the "bluez." Why would we need Bluetooth in QEMU? There is probably a good reason, but let's pick on it anyway and disable it.
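The post stops short of the configure step itself. As an added example (mine, not the author's or the QEMU project's code), here is a small POSIX sh helper that does what the experiment calls for: it passes a --disable-NAME flag only if the tree's own ./configure --help lists it (so a renamed or removed option cannot silently fail the build), restricts --target-list to the one machine type you need, and afterwards checks with ldd that the library a disabled feature pulled in is no longer linked. The feature names (bluez, vde), the x86_64-softmmu target and build path, and the sample --help and ldd text embedded below are constructed for illustration; check them against the tree you actually build.

```sh
#!/bin/sh
# Added example, not code from the original post or from the QEMU project.
# Picks ./configure --disable-* flags only if the tree's own --help advertises
# them, and checks afterwards that the built binary no longer links the
# library the feature pulled in. Feature names (bluez, vde) and the sample
# texts below are constructed for illustration.

# Constructed sample of the relevant part of ./configure --help output,
# in the format QEMU used in 2014 (one --enable/--disable line per feature).
SAMPLE_HELP='Optional features, enabled with --enable-FEATURE and
disabled with --disable-FEATURE, default is enabled if available:
  --disable-bluez          disable bluez stack connectivity
  --enable-bluez           enable bluez stack connectivity
  --disable-vde            disable support for vde network
  --enable-vde             enable support for vde network
  --disable-curl           disable curl connectivity'

# Constructed ldd(1) listings of qemu-system-x86_64 before and after a
# build with --disable-bluez (load addresses are placeholders).
SAMPLE_LDD_BEFORE='    libbluetooth.so.3 => /usr/lib/x86_64-linux-gnu/libbluetooth.so.3 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'
SAMPLE_LDD_AFTER='    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# supported_disable_flags HELP_TEXT NAME...
# Prints --disable-NAME, one per line, for each NAME that HELP_TEXT lists.
# Names not found are reported on stderr and dropped, so a renamed or
# removed option cannot silently turn into a configure error.
supported_disable_flags() {
    help_text=$1
    shift
    for name in "$@"; do
        # feature names are plain [a-z0-9-], so no regex escaping is needed
        if printf '%s\n' "$help_text" | grep -qE -- "^ *--disable-$name( |\$)"; then
            printf '%s\n' "--disable-$name"
        else
            printf 'warning: no --disable-%s in this ./configure, skipping\n' "$name" >&2
        fi
    done
    return 0
}

# configure_args HELP_TEXT TARGET NAME...
# Prints the argument list for ./configure: the target, then the verified
# --disable flags. Restricting --target-list is itself the largest single
# cut, since every other target's device models are left out of the build.
configure_args() {
    help_text=$1
    target=$2
    shift 2
    printf '%s\n' "--target-list=$target"
    supported_disable_flags "$help_text" "$@"
}

# lib_linked LDD_OUTPUT SONAME
# Succeeds if SONAME appears in the ldd listing, i.e. the feature's library
# is still pulled into the binary.
lib_linked() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# When run inside a QEMU checkout, use the real ./configure; otherwise
# fall back to the constructed sample so the script still runs offline.
if [ -x ./configure ] && [ -d hw ]; then
    HELP=$(./configure --help 2>/dev/null || true)
else
    HELP=$SAMPLE_HELP
fi

echo "configure arguments:"
configure_args "$HELP" x86_64-softmmu bluez vde nonexistent

# After "./configure ... && make", confirm the library is gone. The build
# path x86_64-softmmu/qemu-system-x86_64 is where a 2014 in-tree build
# placed the binary (assumption); without one, the constructed listing is used.
if [ -x x86_64-softmmu/qemu-system-x86_64 ]; then
    LDD=$(ldd x86_64-softmmu/qemu-system-x86_64)
else
    LDD=$SAMPLE_LDD_AFTER
fi
if lib_linked "$LDD" libbluetooth; then
    echo "libbluetooth is still linked: --disable-bluez did not take effect"
else
    echo "libbluetooth is not linked"
fi
```

In the checkout you would run ./configure $(configure_args "$(./configure --help)" x86_64-softmmu bluez) && make -j"$(nproc)", leaving the $(...) unquoted on purpose so that each printed line becomes one argument, and then confirm with ldd x86_64-softmmu/qemu-system-x86_64 that libbluetooth no longer appears. The ldd check is the part worth keeping around: a --disable flag that configure accepts but that no longer controls anything gives you no warning, whereas the link dependencies of the resulting binary do not lie.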

Conclusion

We don't always have to run a stock system. In some cases it may be completely valid to work towards enhancing security by reducing the attack surface of the QEMU binary through disabling drivers and options. In fact the OpenStack Security Guide mentions doing just that, as well as other compile-time options to harden QEMU. Of course knowing what to leave in and what to take out, and being able to support that decision in production, is where all the real work is: a custom build means you, not your distribution, are now responsible for tracking QEMU security fixes and rebuilding for each one.

In future posts I hope to continue to explore reducing the attack surface of QEMU.